Krebs on Security

In-depth security news and investigation

Posts Tagged: ZeuS Trojan

As documented time and again on this blog, cybercrooks are often sloppy or lazy enough to leave behind important clues about who and where they are. But from time to time, cheeky crooks will dream up a trap designed to look like they’re being sloppy when in fact they’re trying to trick security researchers into being sloppy and infecting their computers with malware.

A Nuclear Exploit Pack administrative panel made to serve malware.

According to Peter Kruse, a partner and cybercrime specialist with CSIS Security Group, that’s what happened late last month when a Twitter user “Paunchbighecker” started messaging security researchers on Twitter. Paunch the nickname of a Russian hacker who for the past few years has sold the wildly popular Blackhole exploit kit, a crimeware package designed to be stitched into hacked or malicious sites and foist browser exploits on visitors. The person behind Paunchbighecker Twitter account probably figured that invoking Paunch’s name and reputation would add to the allure of his scam.

The link that Paunchbighecker sent to researchers displays what appears to be the back-end administrative panel for a Nuclear Pack exploit kit. In fact, the landing page was a fake merely made to look like a Nuclear pack statistics panel. Rather, embedded inside the page itself is a series of active Java exploits.

Update, 1:56 p.m.: Security researcher Kafeine said he does not believe this was an attack against security researchers, but rather an intentional leak of badguy credentials. Furthermore, Kafeine notes that visitors to the site link in the Twitter messages would have to take an additional step in order to infect their own computers.

One of the challenges in malware research is separating the truly novel innovations in malcoding from new nasties that merely include nominal or superficial tweaks. This dynamic holds true for both malware researchers and purveyors, albeit for different reasons. Researchers wish to avoid being labeled alarmist in calling special attention to what appears to be an emerging threat that turns out to be old news; the bad guys just want to avoid getting scammed into paying for an old malware kit dressed up as the new next big thing.

Source: RSA

On Tuesday, RSA Security somewhat breathlessly announced that it had spotted KINS, a ZeuS Trojan variant that looked like “a new professional-grade banking Trojan” that was likely to emerge as the “next Trojan epiphany” in the cybercrime underground. RSA said the emergence of KINS was notable because the reigning ZeuS Trojan derivative – the Citadel Trojan — had long ago been taken off the market, and that crooks were anxiously awaiting the development and sale of a new botnet creation kit based on the leaked ZeuS source code.

“Since December 2012, when the spokesperson of the Citadel team took the Trojan off the semi-open underground market, cyber criminals have been scrambling to find a replacement,” RSA’s Limor Kessemwrote. “In early February 2013, RSA fraud intelligence researchers began tracing hints about a new crimeware tool called ‘KINS’. At the time, the information about the Trojan just a rumor, but in sporadic comments, fraudsters were associating a Trojan named KINS with the Citadel source code, looking for its developer in order to reach out to him and purchase KINS. The rumors were soon hushed and ties to Citadel were denied, mostly in what appeared as a case of fearful fraudsters who did not want to be denied the possibility to buy the next Trojan.”

But according to Fox-IT, a security research and consulting group based in The Netherlands, KINS has been used in private since at least December 2011 to attack financial institutions in Europe, specifically Germany and The Netherlands. Fox-IT says KINS is short for “Kasper Internet Non-Security,” which is likely the malware author’s not-so-subtle dig at the security suite offered by Russian antivirus maker Kaspersky.

Source: Fox-IT

In its own analysis of the banking Trojan malware, Fox-IT said KINS is fully based on the leaked ZeuS source code, and includes only minor additions. What’s more, Fox-IT notes, many of the users of KINS have already migrated to yet another ZeuS variant, suggesting that perhaps they were unsatisfied with the product and that it didn’t deliver as advertised.

“While the technical additions are interesting, they are far from ground breaking,” wrote Michael Sandee, principal security expert at Fox-IT. “With an array of fairly standard features, and relatively simple additions to the standard ZeuS, such as reporting of installed security product information, the malware platform does not bring anything really new. There are however some features of this malware, not aimed at the functionality for the person using it, but aimed at complicating malware analysis.”

OLD MALWARE, NEW PAINTJOB?

From the bad-guy perspective, this infighting over malware innovation is on display in a new malware offering that surfaced today on a semi-private forum: The seller is pitching a resurrected and modified version of the DNSChanger Trojan, a global contagion that once infected millions of PCs. The DNSChanger botnet, which hooked into infected systems quite deeply and spread to both Windows and Mac computers, was eradicated only by a worldwide, concerted digital quarantine and vaccination effort — combined with the arrest of its creators.

The source code for “Carberp” — a botnet creation kit coded by a team of at least two dozen hackers who used it to relieve banks of an estimated $250 million — has been posted online for anyone to download. The code leak offers security experts a fascinating and somewhat rare glimpse into the malcoding economy, but many also worry that its publication will spawn new hybrid strains of sophisticated banking malware.

Carberp admin panel. Source: Xylibox.blogspot.com

The leak appears to have begun, as these things often do, with the sale of the source code in a semi-private cybercrime forum. On June 5, a member of the Lampeduza crime forum said he was selling the Carberp source to a single buyer, with a starting price of $25,000. The seller said he was helping out one of the developers of the code, who was short on cash.

By mid-June, links to download the entire Carberp archive were being posted on multiple forums, as first documented by Trusteer. Since then, experts from around the world have been tearing through the two-gigabyte archive to learn more about the code and its potential for future abuse in new and existing malware creations.

“Leaking the source code was not like the leaking of a weapon, but more like the leaking of a tank factory,” wrote one Ukrainian tech blogger on Livejournal.

According to Peter Kruse, a specialist with the Copenhagen-based CSIS Security Group, the package includes the Carberp bootkit; this is a component that can subvert the Patchguard protection in Windows 7 x86 and 64-bit systems so that the malware loads itself at the most basic levels of the system (Kruse said the bootkit component is incomplete and does not work against Windows 8 PCs).

Also included are components of a Trojan known as UrSnif, as well as an extremely popular and prevalent rival botnet creation kit called Citadel.

“As with the leakage of the ZeuS source code, back in May 2011, this means that criminals have every chance to modify and even add new features to the kit,” Kruse wrote, noting that the Carberp archive also contains several text files that appear to be records of private chats and various usernames and passwords.

CHEEKY CODERS

Last year, Russian and Ukrainian authorities arrested a loosely-affiliated group of hackers accused of programming and using Carberp to rob millions from bank accounts of their countrymen. According to an account of the law enforcement action in the Russian news outlet Kommersant, Carberp was coded by a team of about 20-25 people under the age of 30. Most of the men had never met face-to-face. Each worked remotely and was responsible for developing specific modules of the Carberp code, components that were then transmitted to a main development server in Odessa, Ukraine.

Some of the leaked Carberp source code archives.

Members of the coding forum kernelmode.info have been poring over comments left in the code by the Carberp developers. One set of comments, translated from Russian by a KrebsOnSecurity reader, suggests the developer was frustrated by having to program within the confines of what he considered sloppy operating system or perhaps Web browser plugin code.

“I will rip off someone’s hands for this kind of code!” the unidentified developer noted in one section of the Carberp source. “This stupid thing does God-knows-what.”

The U.S Federal Bureau of Investigation is warning about an uptick in online extortion scams that impersonate the FBI and frighten people into paying fines to avoid prosecution for supposedly downloading child pornography and pirated content. This post offers an inside look at one malware gang responsible for orchestrating such scams.

Reveton ransomware scam page impersonating the FBI

In an alert published last week, the FBI said that The Internet Crime Complaint Center — a partnership between the FBI and the National White Collar Crime Center — was “getting inundated with complaints” from consumers targeted or victimized by the scam, which uses drive-by downloads to hijack host machines. The downloaded malware displays a threatening message (see image to the right) and blocks the user from doing anything else unless he pays the fine or finds a way to remove the program.

The FBI alert said the attacks have surged with the help of a “new drive-by virus” called Reveton; in fact, Reveton and its ilk are hardly new. These types of attacks have been around for years, but traditionally have targeted European users. The scam pages used in the attacks mimic official notices from various national police or investigatory agencies, corresponding to the country in which the victim resides. For a breakdown of these Reveton-related ransomware scam pages by country, see this comprehensive gallery set up at botnets.fr.

Reveton.A is blamed in these most recent attacks, and the FBI said it appears Reveton is being distributed in conjunction with Citadel, an offshoot of the ZeuS Trojan that I have writtenabout on several occasions. It is certainly possible that crooks are using Citadel to deploy Reveton, but as I’ll illustrate below, it seems more likely that the attackers in these cases are using exploit kits like BlackHole to plant both threats on victim PCs.

INSIDE A REVETON MALWARE GANG

Operations of one Reveton crime group. Source: ‘Kafeine,’ from botnets.fr.

At least that’s the behavior that’s been observed by a ragtag group of researchers that has been tracking Reveton activity for many months. Some of the researchers are associated with botnets.fr, but they’ve asked to remain nameless because of the sensitivity of their work. One of them, who goes by the screen name “Kafeine,” said much of the Reveton activity traces back to a group that is controlling the operation using reverse proxies at dozens of servers scattered across data centers globally (see this PDF for a more detailed look at the image above).

Kafeine said the groups involved in spreading Reveton are constantly fine-tuning all aspects of their operations, from the scam pages to solidifying their back-end hosting infrastructure. The latest versions of Reveton, for example, serve the scam pages from an encrypted (https://) connection, and only cough up the pages when an infected machine visits and sends a special request. Continue reading →

New data suggests that cyber attacks aimed at small businesses have doubled over the past six months, a finding that dovetails with my own reporting on companies that are suffering six-figure losses from sophisticated cyber heists.

According to Symantec, attacks against small businesses rose markedly in the first six months of 2012 compared to the latter half of 2011. In its June intelligence report, the security firm found that 36 percent of all targeted attacks (58 per day) during the last six months were directed at businesses with 250 or fewer employees. That figure was 18 percent at the end of Dec. 2011.

“There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against larger ones,” said Paul Wood, a security intelligence manager at Symantec. “It almost seems attackers are diverting their resources directly from the one group to the other.”

I’m seeing the same uptick, and have been hearing from more small business victims than at any time before — often several times per week.

In the second week of July, for example, I spoke with three different small companies that had just been hit by cyberheists (one of the victims asked not to be named, and the other didn’t want their case publicized). On July 10, crooks who’d broken into the computers of a fuel supplier in southern Georgia attempted to transfer $1.67 million out of the company’s accounts. When that failed, they put through a fraudulent payroll batch totaling $317,000, which the victim’s bank allowed.

The bank, First National Bank of Coffee County, managed to claw back an unusually large amount — approximately $260,000. The fuel company hired an outside forensics firm to investigate, and found that the trouble started on July 9, when the firm’s controller clicked a link embedded in an image in an email designed to look as though it was sent by the U.S. Postal Service and alerting the recipient about a wayward parcel. The link in the image loaded content from a site hosting the BlackHole exploit kit, which downloaded the ZeuS Trojan to the controller’s PC.

Interestingly, the fuel company and its bank said one of the money mules that the attackers recruited to help launder the stolen funds turned out to be an employee of Wells Fargo from Alabama. Many money mules are simply not the brightest bulbs, and it is usually difficult to prove that they weren’t scammed as well (because more often than not, the mules end up losing money). But one would think people who work for banks should be at least be aware of these schemes, and held to a higher standard. What’s more, if this mule wasn’t complicit then he probably suspected something wasn’t right, because he had the funds sent to an account he controlled at a local credit union in Birmingham — rather than an account at Wells Fargo.

By the way, this is the second time I’ve encountered a money mule working at a major bank. Last year, I tracked down a woman at PNC Bank in Maryland who was hired by a mule recruitment gang and later helped move nearly $4,500 from a victim business in North Carolina to cybercriminals in Ukraine. She claimed she did not understand what she had done until I contacted her.

A decision handed down by a federal appeals court this week may make it easier for small businesses owners victimized by cyberheists to successfully recover stolen funds by suing their bank.

The U.S. Federal Court of Appeals for the First Circuit has reversed a decision from Aug. 2011, which held that Ocean Bank (now People’s United) was not at fault for a $588,000 cyberheist in 2009 against one of its customers — Sanford, Me. based Patco Construction Co. The appeals court sent specific aspects of the earlier decision back to the lower court for review, but it encouraged both parties to settle the matter out of court.

The appeals court in Boston called the bank’s security systems “commercially unreasonable,” reversing a lower court ruling that Ocean Bank’s reliance on passwords and secret questions was in line with guidance set out by federal banking regulators. A copy of the decision is here (PDF).

Charisse Castagnoli, a bank fraud expert and independent security consultant, said the decision could open the door lawsuits from small businesses that have been similarly victimized with the help of outdated security procedures at their banks.

“What this opinion offers is a strong basis for victims to challenge the security implementations of their banks regardless of whether they agreed that the implementation was ‘commercially reasonable’ at a single point in time in a ‘shrink wrap’ type contract,” Castagnoli said.

Facebook is attempting to nip in the bud a new social networking worm that spreads via an application built to run seamlessly as a plugin across multiple browsers and operating systems. In an odd twist, the author of the program is doing little to hide his identity, and claims that his “users” actually gain a security benefit from installing the software.

At issue is a program that the author calls “LilyJade,” a browser plugin that uses Crossrider, an emerging programming framework designed to simplify the process of writing plugins that will run on Google Chrome, Internet Explorer, and Mozilla Firefox. The plugin spreads by posting a link to a video on a user’s Facebook wall, and friends who follow the link are told they need to accept the installation of the plugin in order to view the video. Users who install LilyJade will have their accounts modified to periodically post links that help pimp the program.

The goal of LilyJade is to substitute code that specifies who should get paid when users click on ads that run on top Internet properties, such as Facebook.com, Yahoo.com, Youtube.com, Bing.com, Google.com and MSN.com. In short, the plugin allows customers to swap in their own ads on virtually any site that users visit.

I first read about LilyJade in an analysis published earlier this month by Russian security firm Kaspersky Labs, and quickly recognized the background from the screenshot included in that writeup as belonging to user from hackforums.net. This is a relatively open online hacking community that is often derided by more elite and established underground forums because it has more than its share of adolescent, novice hackers (a.k.a. “script kiddies”) who are eager to break onto the scene, impress peers, and make money.

It turns out that the Hackforums user who is selling this plugin is doing so openly using his real name. Phoenix, Ariz. based hacker Dru Mundorff sells the LilyJade plugin for $1,000 to fellow Hackforums members. Mundorff, 29, says he isn’t worried about the legalities of his offering; he’s even had his attorney sign off on the terms of service that each user is required to agree to before installing it.

“We’re not forcing any users to be bypassed, exploited or anything like that,” Mundorff said in a phone interview. “At that point, if they do agree, it will allow us to make posts on their wall through our system.”

Mundorff claims his software is actually a benefit to Facebook and the Internet community at large because it is designed to also remove infections from some of the more popular bot and Trojan programs currently for sale on Hackforums, including Darkcomet, Cybergate, Blackshades and Andromeda (the latter being a competitor to the password-stealing ZeuS Trojan that hides behind Facebook comments). Mundorff maintains that his plugin will result in a positive experience for the average Facebook user, although he acknowledges that customers who purchase LilyJade can modify at will the link that “users” are forced to spread, and may at any time swap in links to malware or exploit sites. Continue reading →

Lost in the annals of campy commercials from the 1980s is a series of ads that featured improbable scenes between two young people (usually of the opposite sex) who always somehow caused the inadvertent collision of peanut butter and chocolate. After the mishap, one would complain, “Hey you got your chocolate in my peanut butter!,” and the other would shout, “You got your peanut butter in my chocolate!” The youngsters would then sample the product of their happy accident and be amazed to find someone had already combined the two flavors into a sweet and salty treat that is commercially available.

It may be that the Internet security industry is long overdue for its own “Reese’s moment.” Many security experts who got their start analyzing malware and tracking traditional cybercrime recently have transitioned to investigating malware and attacks associated with so-called advanced persistent threat (APT) incidents. The former centers on the theft of financial data that can be used to quickly extract cash from victims; the latter refers to often prolonged attacks involving a hunt for more strategic information, such as intellectual property, trade secrets and data related to national security and defense.

Experts steeped in both areas seem to agree that there is little overlap between the two realms, neither in the tools the two sets of attackers use, their methods, nor in their motivations or rewards. Nevertheless, I’ve heard some of these same experts remark that traditional cyber thieves could dramatically increase their fortunes if they only took the time to better understand the full value of the PCs that get ensnared in their botnets.

In such a future, Chinese nationalistic hackers, for example, could avoid spending weeks or months trying to break into Fortune 500 companies using carefully targeted emails or zero-day software vulnerabilities; instead, they could just purchase access to PCs at these companies that are already under control of traditional hacker groups.

Every now and then, evidence surfaces to suggest that bridges between these two disparate worlds are under construction. Last month, I had the opportunity to peer into a botnet of more than 3,400 PCs — most of them in the United States. The systems were infected with a new variant of the Citadel Trojan, an offshoot of the ZeuS Trojan whose chief distinguishing feature is a community of users who interact with one another in a kind of online social network. This botnet was used to conduct cyberheists against several victims, but it was a curious set of scripts designed to run on each infected PC that caught my eye.

Recent ebanking heists — such as a $121,000 online robbery at a New York fuel supplier last month — suggest that cyber thieves increasingly are cashing out by sending victim funds to prepaid debit card accounts. The shift appears to be an effort to route around a major bottleneck for these crimes: Their dependency on unreliable money mules.

Mules traditionally have played a key role in helping thieves cash out hacked accounts and launder money. They are recruited through email-based work-at-home job scams, and are told they will be helping companies process payments. In a typical scheme, the mule provides her banking details to the recruiter, who eventually sends a fraudulent transfer and tells the mule to withdraw the funds in cash, keep a small percentage, and wire the remainder to co-conspirators abroad.

Some of the mule gangs I’ve identified.

But mules are hardly the most expedient method of extracting funds. To avoid arousing suspicion (and triggering anti-money laundering reporting requirements by the banks), cyber crooks usually send less than $10,000 to each mule. In other words, for every $100,000 that the thieves want to steal, they need to have at least 10 money mules at the ready.

In reality, though, that number is quite often closer to 15 mules per $100,000. That’s because the thieves may send much lower amounts to mules that bank at institutions which have low transfer limit triggers. For instance, they almost always limit transfers to less than $5,000 when dealing with Bank of America mules, because they know transfers for more than that amount to consumer accounts will raise fraud flags at BofA.

Thus, the average mule is worth up to $10,000 to a cybercrook. Unsurprisingly, there is much competition and demand for available money mules in the cybercriminal underground. I’ve identified close to two dozen distinct money mule recruitment networks, most of which demand between 40-50 percent of the fraudulent transfer amounts for their trouble. Not only are mule expensive to acquire, they often take weeks to groom before they’re trusted with transfers.

But these mules also come with their own, well, baggage. I’ve interviewed now more than 200 money mules, and it’s hard to escape the conclusion that many mules simply are not the sharpest crayons in the box. They often have trouble following simple instructions, and frequently screw up important details when it comes time to cash out (there are probably good reasons that a lot of these folks are unemployed). Common goofs include transposing digits in account and routing numbers, or failing to get to the bank to withdraw the cash shortly after the fraudulent transfer, giving the victim’s bank precious time to reverse the transaction. In isolated cases, the mules simply disappear with the money and stiff the cyber thieves.

In several recent ebanking heists, however, thieves appear to have sent at least half of the transfers to prepaid cards, potentially sidestepping the expense and hassle of hiring and using money mules. For example, last month cyber crooks struck Alta East, a wholesale gasoline dealer in Middletown, N.Y. According to the firm’s comptroller Debbie Weeden, the thieves initiated 30 separate fraudulent transfers totaling more than $121,000. Half of those transfers went to prepaid cards issued by Metabank, a large prepaid card provider.

Prepaid cards are ideal because they can be purchased anonymously for small amounts ($25-$100 values) from supermarkets and other stores. A majority of these low-value cards are not reloadable, unless the cardholder goes online and provides identity information that the prepaid card issuer can tie to a legitimate credit holder. After that card is activated, it can be reloaded remotely by transferring or depositing funds into the account, and it can be used like a debit, ATM or credit card.

“The information we gather in opening it is the same information you’d be asked if you were opening a credit card account online,” said Brad Hanson, president of Metabank’s payment systems division. “We do checks against different public resources like Experian and LexisNexis to verify that all the information matches and is accurate, and that we have a reasonable belief that you are the person applying for the card.”

The trouble is, the thieves pulling these ebanking heists have access to massive amounts of stolen data that can be used to fraudulently open up prepaid cards in the names of people whose identities and computers have already been hijacked. Once those cards are approved, the crooks can simply transfer funds to them from cyberheist victims, and extract the cash at ATMs. Alternatively, wire transfer locations like Western Union even allow senders to use their debit cards to execute a “debit spend,” thereby sending money overseas directly from the card.

Last week was a bad one to be a cybercrook. Authorities in Russia arrested several men thought to be behind the Carberp banking Trojan, and obtained a guilty verdict against the infamous spammer Leo Kuvayev. In the United States, a jury returned a 33-month jail sentence against a Belarusian who ran a call service for cyber thieves. At the same time, U.S. prosecutors secured a guilty plea against a Russian man who was part of a gang that stole more than $3 million from U.S. businesses fleeced with the help of the ZeuS Trojan.

Kuvayev in Thailand, 2001

In August 2010, KrebsOnSecurity broke the news that spam king Leonid “Leo” Aleksandorovich Kuvayev, was being held in a Russian prison awaiting multiple child molestation charges. Late Friday, a Moscow City court judge rendered a guilty verdict against Kuvayev for crimes against the sexual integrity of minors, according to Russian news agency Lenta.ru.

In 2005, the attorney general of Massachusetts successfully sued Kuvayev for violations of the CAN-SPAM Act, a law that prohibits the sending of e-mail that includes false or misleading information about the origins of the message, among other restrictions. Armed with a massive trove of spam evidence gathered largely by lawyers and security experts at Microsoft Corp., the state showed that Kuvayev’s operation, an affiliate program known as BadCow, was responsible for blasting tens of millions of junk e-mails peddling everything from pirated software to counterfeit pharmaceuticals and porn.

In an apparent bid to sidestep those charges, Kuvayev fled the United States for Russia. A Massachusetts judge later convicted Kuvayev of CAN-SPAM violations, and ordered him to pay $37 million in civil penalties. FBI officials say that at the time, BadCow was raking in more than $30 million each year.

Russian prosecutors said Kuvayev sexually abused at least 11 girls aged 13 to 18 years, many of them suffering from mental and psychological problems and pupils of orphanages and boarding schools nearby Kuvayev’s business and residence in Moscow.

According to information obtained by KrebsOnSecurity, Russian prosecutors had help from Kuvayev’s old nemesis Microsoft, which had hired a local forensics company in 2010 to keep tabs on his activities. Microsoft’s Samantha Doerr confirmed that Microsoft Russia consulted with Moscow-based cyber forensics firm Group-IB, but said the nature of the investigation was related to Kuvayev’s spamming activities. Lenta.ru reports that it’s not clear when Kuvayev may be sentenced, but that the most serious offense he faces carries a penalty of 20 years in prison.

Group-IB also assisted in another investigation that bore fruit last week: The arrest of eight men — including two ringleaders from Moscow — alleged to have been responsible for seeding computers worldwide Carberp and RDPdor, powerful banking Trojans. Russian authorities say the crime gang used the malware to raid at least 130 million rubles (~$4.43 million USD) from more than 100 banks around the world, and from businesses in Russia, Germany and the Netherlands. Russian police released a video showing one of the suspects loudly weeping in the moments following a morning raid on his home.

The arrests help explain why the makers of Carberp abruptly stopped selling the Trojan late last year. Until recently, Carberp was sold on shadowy underground forums for more than $9,000 per license. In the screen shot below, a lead coder for the Carberp Trojan can be seen announcing on Nov. 1, 2011 that he will be immediately suspending new sales of the malware, and will not be reachable going forward. Continue reading →